
Windows SSH client that uses tickets not obtained from AD login

Hi,
Do you know any Windows ssh client that can use
gssapi authentication and not using SSPI (used by
vintela and CSS putty versions) wherein it uses tickets
that were obtained from an Active Directory login? I
have downloaded KFW from MIT and I have successfully
obtained tickets using Leash. I tried to use vintela's
putty but I don't know how to tell it where Leash put
my tickets. The vintela docs say it will use the
tickets obtained upon an Active Directory login. In
our case, we don't use AD service. BTW, just curious,
KFW says it places the tickets obtained from KDC
inside the memory of the computer, I remembered my
tickets when using kinit places it in /tmp of my unix
box. Is there a security issue here regarding the use
of /tmp as a storage of tickets against placing it in
the memory?

Re: Windows SSH client that uses tickets not obtained from AD login

Kermit 95 provides support for SSH with GSS and it derives its
tickets from KFW. The version distributed by Columbia University
is old and not quite up to date but it works.


--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

Hi Jeff,
I've already been to that site as most of my google
searches point me to it, but my problem is that the
place I work in is a government institution which
benefits mostly from tools that are open source and
free. Is there a freeware version of kermit?

--- Jeffrey Altman wrote:
> Kermit 95 provides support for SSH with GSS and it derives its
> tickets from KFW. The version distributed by Columbia University
> is old and not quite up to date but it works.

Another option would be to use ssh under cygwin - what actually I do.
You only have to compile ssh yourself with either Heimdal, or with MIT
Kerberos. You can obtain a TGT using either kinit, or copy the TGT from LSA to
an ordinary credentials cache using the ms2mit program from KfW.

Re: Windows SSH client that uses tickets not obtained from AD login

jay alvarez wrote:
> Hi,
> Do you know any windows ssh client that can use
> gssapi authentication and not using SSPI(used by
> vintela and CSS putty versions)wherein it uses tickets
> that were obtained from an Active Directory login? I
> have downloaded KFW from MIT and I have successfully
> obtain tickets using Leash. I tried to use vintela's
> putty but I don't know how to tell it where Leash put
> my tickets. The vintela docs says it will use the
> tickets obtained upon an Active Directory login. In
> our case, we don't use AD service.

The version of putty at: http://www.sweb.cz/v_t_m/ works with tickets
obtained by MIT KfW. However, it only works with gssapi-with-mic, so
you need to have OpenSSH 3.8 or higher on the server side. I have been
using it for over a year without too many problems. It works quite well
and the author even updated the source patch and the binary the two
times I've asked when security fixes were released for putty.
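
To check the server-side requirement mentioned in the post above before debugging the client, the following added example (not part of the original thread) classifies a server from its SSH identification string and from the "Authentications that can continue" lines that the OpenSSH client prints with `ssh -v`. The function names and the sample inputs are constructed for illustration, and the 3.8 threshold is taken from the post.

```python
import re

# Constructed sample of `ssh -v` debug output (not captured from a real host).
SAMPLE_VERBOSE = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
"""

BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")
AUTH_LINE_RE = re.compile(r"Authentications that can continue: (?P<methods>\S+)")
MIN_OPENSSH = (3, 8)  # minimum server version stated in the post above


def openssh_version(banner):
    """Return (major, minor) from an SSH identification string, or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    v = OPENSSH_RE.match(m.group("software"))
    return (int(v.group("major")), int(v.group("minor"))) if v else None


def offered_methods(ssh_verbose_output):
    """Collect, in order and without repeats, the auth methods the server advertised."""
    methods = []
    for line in ssh_verbose_output.splitlines():
        m = AUTH_LINE_RE.search(line)
        if m:
            methods.extend(n for n in m.group("methods").split(",") if n not in methods)
    return methods


def gssapi_with_mic_status(banner, ssh_verbose_output=""):
    """Classify a server as 'offered', 'too-old', 'not-offered' or 'unknown'."""
    methods = offered_methods(ssh_verbose_output)
    if "gssapi-with-mic" in methods:
        return "offered"
    version = openssh_version(banner)
    if version is not None and version < MIN_OPENSSH:
        return "too-old"        # upgrade the server before touching the client
    if methods:
        return "not-offered"    # new enough, but GSSAPI is not enabled or not built in
    return "unknown"            # not OpenSSH and no method list to go on


if __name__ == "__main__":
    print(gssapi_with_mic_status("SSH-2.0-OpenSSH_3.9p1", SAMPLE_VERBOSE))
```

A result of "not-offered" points at the server's configuration or build rather than at the ticket cache on the Windows side.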

Re: Windows SSH client that uses tickets not obtained from AD login

jay alvarez wrote:
> Hi,
> Do you know any windows ssh client that can use
> gssapi authentication and not using SSPI(used by
> vintela and CSS putty versions)

There's a version of the CSS putty modifications which can use MIT
Kerberos for Windows. Download their Putty Installer, install it, and
then change the dll which it uses for Kerberos support by renaming
C:\Program Files\PuTTY\plugin_mitgss.dll as
C:\Program Files\PuTTY\plugingss.dll

In my experience, there's a problem with newer versions of the code not
working with MIT Kerberos, but version 0-55b1 works fine.
